I find it interesting that the auditors don't know all of this stuff or have their own experts to tell you what they need. On Fri, Apr 17, 2020 at 4:24 PM John Stoffel <john@stoffel.org> wrote:
"John" == John Malloy <jomalloy@gmail.com> writes:
John> They just want to know who can login as route or sudo
And so do you! :-)
John> These are both Oracle servers and they only have a route and Oracle account
That you know of. Auditing, while painful and not fun unless it's automated, is the solution here.
John> There’s no additional users in the Sudo file
It's not that easy, since you also need to look in /etc/sudoers.d/ and also need to parse out group membership and check the sudoers* files for group entries. It's *not* trivial.
But again, it's the auditing part that the auditors will be concerned about. How to do validate your results? How do you know that us powerful sysadmins aren't hacking the reports and ignoring certain accounts in the reports so that we can hide stuff? How do you know someone *else* hasn't hidden a SUID script or program somewhere else on the system?
It's a damn rathole honestly, and there's a cost vs benefit call you need to make. Or more accurately, management needs to make. 100% security is when the server is off, unplugged from everything and buried in a hole. In concrete. :-)
Be thankful you're not having to go through PCI compliance audits for handling credit cards, I've heard they're even worse!
John
John> On Fri, Apr 17, 2020 at 1:39 PM Dan Ritter <dsr@randomstring.org> wrote:
John> John Malloy wrote:
What is the best way to provide proof to an audit person who needs to know all the root/sudo users for a RHEL 6 server?
(I am new at this company, and don't have access to all their resources)
We can provide the /etc/passwd & /etc/sudoers file (the auditor may not know how to read these files)
We also have the RedHat Identity Management running here, but I am not familiar with this tool.
John> What question did they ask? It's important.
John> -dsr-
John> --
John> John Malloy
John> _______________________________________________ John> bblisa mailing list John> bblisa@bblisa.org John> http://www.bblisa.org/mailman/listinfo/bblisa
_______________________________________________ bblisa mailing list bblisa@bblisa.org http://www.bblisa.org/mailman/listinfo/bblisa